| 9091 |
2021-06-22 09:41
|
dl.php.doc 2775135ed5569787e253e62a238b1358
Gen2 OS Processor Check MSOffice File unpack itself DNS |
|
|
|
|
1.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9092 |
2021-06-22 09:42
|
 dl.php.vbs 45ad07c4795ff6b95f6b5c60b9fa8fc2crashed |
|
|
|
|
0.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9093 |
2021-06-22 09:43
|
M0031.cab 3b211b5eb6787043deba29c207c37bb0
Escalate priviledges KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger unpack itself DNS |
|
|
|
|
2.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9094 |
2021-06-22 10:18
|
 file.exe e0c4171c0bb82cf52647b0ccbfd6f3e3
Generic Malware Admin Tool (Sysinternals etc ...) PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed |
|
|
|
|
3.4 |
|
33 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9095 |
2021-06-22 11:14
|
 tbCgXlQIMjI1kIcB.jpg.ps1 55dae81112baf10e1cdbfad99c922ce8
Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows DNS Cryptographic key |
|
|
|
|
2.0 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9096 |
2021-06-22 11:20
|
 GT2pFbB.dll 4e5fc6111da7ec4512257864ded2f43b
Generic Malware UPX Malicious Library PE File PE64 DLL VirusTotal Malware crashed |
|
|
|
|
1.2 |
|
5 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9097 |
2021-06-22 12:14
|
purchase order.exe 43955364f71a38a2af68a9c85ce5c7af
AsyncRAT backdoor PWS .NET framework Generic Malware Malicious Packer SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS crashed |
|
|
|
|
12.2 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9098 |
2021-06-22 12:20
|
BNTS_CHT_ONLNE.msi 22d9cae00205d10fdddde71ca75ebc02
Gen2 Antivirus OS Processor Check MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName DNS |
|
|
|
|
3.0 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9099 |
2021-06-22 13:54
|
プロフォーマインボイス pdf.exe 88b341b9e1d4b70baaa827d7b06e2456
PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization DNS |
1
http://detectportal.firefox.com/success.txt?ipv4
|
4
detectportal.firefox.com(34.107.221.82)
prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
mozilla.org(44.236.48.31)
34.107.221.82
|
|
|
3.2 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9100 |
2021-06-22 15:24
|
プロフォーマインボイス pdf.exe 88b341b9e1d4b70baaa827d7b06e2456
Admin Tool (Sysinternals etc ...) PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization |
|
|
|
|
2.2 |
|
19 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9101 |
2021-06-22 15:31
|
http://122.114.198.100/www/vbc... 5beae2f6cea2c9f92ab4e2b34dfac0d4
PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downlo Malware download VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed Downloader |
1
http://122.114.198.100/www/vbc.exe
|
1
122.114.198.100 - malware
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
6.0 |
|
35 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9102 |
2021-06-22 18:08
|
 ................................. f418946469f4edf5fd007c9767eeb14b
RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://103.125.191.125/http/vbc.exe
http://bnbrokenhead.cf/Bn4/fre.php
|
3
bnbrokenhead.cf(104.21.2.166)
103.125.191.125
172.67.186.250
|
15
ET INFO DNS Query for Suspicious .cf Domain
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.cf Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
4.4 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9103 |
2021-06-22 18:09
|
 vbc.exe 357e95c47c4b8666b0fe33277a37f376
PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Remote Code Execution DNS crashed |
|
|
|
|
3.4 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9104 |
2021-06-22 18:10
|
 vbc.exe 8da587a72663d0312b35d53f4d45735c
PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software |
1
http://bnbrokenhead.cf/Bn4/fre.php
|
2
bnbrokenhead.cf(172.67.186.250)
104.21.2.166
|
9
ET INFO DNS Query for Suspicious .cf Domain
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.cf Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
8.2 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9105 |
2021-06-22 18:13
|
 prince_of_persia_P_v4_x86.exe 28906318e1bfa9949cd086e807a0f220
AsyncRAT backdoor Generic Malware PE File OS Processor Check PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
20
https://nidhoggr.club/slither/overnoise/infiltrator/giulietta/collapsar/2ee38670-d342-4fec-99b0-a4f7f4bea0e4/?poP7OSkLBNturHY
https://nidhoggr.club/jasmina/jaquenette/obscure/dull/dormant?strange=cheerless5039d36f-1fe0-46d6-a3bc-d0d81257b6fe/?poP7OSkLBNturHY
https://nidhoggr.club/slither/overnoise/infiltrator/giulietta/collapsar/
https://nidhoggr.club/noised/noiseful/malicious/drab/unbeaten/shadow/39152ab9-6ffb-4b19-811e-e9538a897d93/?poP7OSkLBNturHY
https://nidhoggr.club/issie/furtive/Hyacintha/noise/undiscovered/hazardous/Ivette?Adelina=noised994b6e21-8a8f-4128-bfc4-7637963c9483/?poP7OSkLBNturHY
https://nidhoggr.club/turbulent/Ivette/nova/dull/fighter?fading=isabellaff06fa1a-1992-43ef-9704-2913c9b2299e/?poP7OSkLBNturHY
https://nidhoggr.club/dreary/dull/Isahella/isobel/cheerless/dull/cheerless/noisefulness/counternoise?spy=champion7312d3e3-fe83-4e36-a09f-2faea02ce400/?poP7OSkLBNturHY
https://nidhoggr.club/isabelle/Hulda/dark/isabella?crepuscular=isadoradcc4d3c3-0e97-40ed-98bc-e856a5c2f8ca/?poP7OSkLBNturHY
https://nidhoggr.club/hilde/ghost/isabella/spy/corrosive/jasmin/steel/jaquenetta?corrosive=hazardousd1cdbebf-220a-4726-87c6-1c3855c9c262/?poP7OSkLBNturHY
https://nidhoggr.club/Gizela/unrecognized/noiselessly/colorless/nova?Odilia=janayaeb53ebd1-51a1-41df-8408-4370caceac3e/?poP7OSkLBNturHY
https://nidhoggr.club/dim/hildagarde/grey/Iseabal/7326892f-c4f3-4728-9b5e-a22d33c3b139/?poP7OSkLBNturHY
https://nidhoggr.club/subreptice/corrosive/slither/evil/suzie/undiscovered/unbeaten/noiselessly/Isidora/noisemaking/ivy?giustina=dark10f9ba50-c5d1-4e00-ab9e-541e6144061f/?poP7OSkLBNturHY
https://nidhoggr.club/Hildagard/ivory/spy/evil/Hyacintha/unrecognized/quiet/Hyacintha/ghost/dark/ae029445-9427-40f7-bb59-2b36300b52e6/?poP7OSkLBNturHY
https://nidhoggr.club/hilde/ghost/isabella/spy/corrosive/jasmin/steel/jaquenetta?corrosive=hazardous1e58acfe-6387-4707-b70e-6e95181f902f/?poP7OSkLBNturHY
https://nidhoggr.club/jaquelyn/stygian/corrosive/drab/jaquith/hyacinthe/hunter/Hope/winterly/joyless?colorless=iviee714bab2-5dfd-491a-a93f-d380656997c1/?poP7OSkLBNturHY
https://nidhoggr.club/suzie/suzette/nuclear/unknown/metallic/discreet/undercover/dark?ivy=isis7da76ce4-eabc-48f5-b3df-769296a4b738/?poP7OSkLBNturHY
https://nidhoggr.club/Gizela/ivie/jaquelyn/isabelita/Honor/noiseless/780990e3-289e-448e-9ae9-2674b0e3f3a2/?poP7OSkLBNturHY
https://nidhoggr.club/noisefulness/Hyacinth/ballistic/hynda?silent=faultyc5390449-e189-426e-a0a4-7167c229cd83/?poP7OSkLBNturHY
https://nidhoggr.club/issie/furtive/Hyacintha/noise/undiscovered/hazardous/Ivette?Adelina=noised1e38d28d-61d7-460d-a3f0-89548c65ef63/?poP7OSkLBNturHY
https://nidhoggr.club/dolorous/sneaky/janaya/5055beb4-7979-414a-bfc0-644fa8e029fb/?poP7OSkLBNturHY
|
2
nidhoggr.club(185.112.146.165) - malware
185.112.146.165 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.4 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|